Re: Evaluation: draft-ietf-dnsext-ad-is-secure

["Jeffrey I. Schiller" <jis@mit.edu>]

How about:

"A server MUST not set the AD bit unless it knows that a secure 
transport is in use between it and the requesting client."

			-Jeff

Randy Bush wrote:
> > Whats worse then insecure DNS is something marketed as "Secure" DNS that 
> > isn't....
>
>    The AD bit SHOULD be used by the local resolver if and only if it has
>    been explicitly configured to trust the remote resolver.  The AD bit
>    SHOULD be ignored when the remote resolver is not trusted.
>
> we give you the gun.  your choice to use it.
>
> neither smb nor i were happy with this document.  but no one saw a
> really good way to do this.
>
> randy